I’m excited to share that the first six chapters of my new book, Dynamic Authorization: Adaptive Access Control, are now available through Manning’s Early Access Program (MEAP). You can start reading today at Manning’s site. As part of the launch, Manning is offering 50% off.
I wrote this book because I noticed something curious in the identity world: while authentication has largely become a solved problem—at least technically—authorization remains widely misunderstood. Many organizations still rely on outdated models like static role-based access control, which don’t hold up in today’s distributed, collaborative, and zero-trust environments. But the landscape is changing. New tools, such as Cedar, give us the means to create authorization systems that provide better security while also making life easier for employees and customers.
The first chapters of the book lay out this problem space and begin introducing modern approaches. Chapter 1 frames the challenge of authorization in today’s systems. Chapter 2 introduces the broader topic of digital identity, while chapter 3 drills down on authentication. Chapter 4 introduces authorization with chapter 5 outlining old-school static authorization techniques and chapter 6 diving into dynamic models: relationship-based access control (ReBAC), attribute-based access control (ABAC), and policy-based access control (PBAC). To make these ideas concrete, I use practical examples drawn from a fictional company, ACME Corp., to motivate the material and show how it is used in life-like scenarios.
Looking ahead, later chapters will introduce Cedar, the open-source policy language from AWS, and compare it with other frameworks like OPA/Rego and XACML. I’ll also cover how to implement policies effectively, treat them as code, and test them for reliability. My goal is to help practitioners understand both the “why” and the “how” of dynamic authorization so they can design systems that adapt to real-world complexity.
If you’ve ever struggled with brittle role hierarchies, confusing permission schemes, or the tension between security and usability, this book is for you. And since it’s in MEAP, you can start reading now and follow along as new chapters are released. I'm open to your feedback and suggestions.